vars:
  - job-name: elastic+elasticsearch+%BRANCH%+periodic+java-fips-matrix
  - job-display-name: "elastic / elasticsearch # %BRANCH% - java fips compatibility matrix"
  - job-description: "Testing of the Elasticsearch %BRANCH% branch java FIPS compatibility matrix.\n"
  - matrix-yaml-file: ".ci/matrix-runtime-javas-fips.yml"
  - matrix-variable: ES_RUNTIME_JAVA

---
jjbb-template: periodic-trigger-lgc.yml
vars:
  - periodic-job: elastic+elasticsearch+%BRANCH%+periodic+java-fips-matrix
  - lgc-job: elastic+elasticsearch+%BRANCH%+intake

// Common config when running with a FIPS-140 runtime JVM
if (BuildParams.inFipsJvm) {

  allprojects {
    String javaSecurityFilename = BuildParams.runtimeJavaDetails.toLowerCase().contains('oracle') ? 'fips_java_oracle.security' : 'fips_java.security'
    File fipsResourcesDir = new File(project.buildDir, 'fips-resources')
    File fipsSecurity = new File(fipsResourcesDir, javaSecurityFilename)

---
- job:
    name: "elastic+elasticsearch+pull-request+part-1-fips"
    display-name: "elastic / elasticsearch - pull request part-1 fips"
    description: "Testing of Elasticsearch pull requests - part-1 fips"
    workspace: "/dev/shm/elastic+elasticsearch+pull-request+part-1-fips"
    scm:
      - git:
          refspec: "+refs/pull/${ghprbPullId}/*:refs/remotes/origin/pr/${ghprbPullId}/*"
          branches:
            - "${ghprbActualCommit}"

---
- job:
    name: "elastic+elasticsearch+pull-request+part-2-fips"
    display-name: "elastic / elasticsearch - pull request part-2 fips"
    description: "Testing of Elasticsearch pull requests - part-2 fips"
    workspace: "/dev/shm/elastic+elasticsearch+pull-request+part-2-fips"
    scm:
      - git:
          refspec: "+refs/pull/${ghprbPullId}/*:refs/remotes/origin/pr/${ghprbPullId}/*"
          branches:
            - "${ghprbActualCommit}"

# This file is used as part of a matrix build in Jenkins where the
# values below are included as an axis of the matrix.

# java11 should always be included as we only support Oracle Java 11 in
# FIPS 140-2 mode. 
# We also want to test with the bundled JDK so that we proactively find
# issues that might later be backported to JDK11. Current bundled JDK is
# openjdk16

ES_RUNTIME_JAVA:
  - java11

property `tests.bwc.git_fetch_latest` to `false` and the BWC builds will skip
fetching the latest from the remote.

== Testing in FIPS 140-2 mode

We have a CI matrix job that periodically runs all our tests with the JVM configured
to be FIPS 140-2 compliant with the use of the BouncyCastle FIPS approved Security Provider.
FIPS 140-2 imposes certain requirements that affect how our tests should be set up or what

This directory holds snapshots of the crypto/internal/fips140 tree
that are being validated and certified for FIPS-140 use.
The file x.txt (for example, inprocess.txt, certified.txt)
defines the meaning of the FIPS version alias x, listing
the exact version to use.

The zip files are created by cmd/go/internal/fips140/mkzip.go.
The fips140.sum file lists checksums for the zip files.

    String jobBranch = System.getenv('ghprbTargetBranch') ?: System.getenv('JOB_BRANCH')

    tag OS.current().name()
    tag Architecture.current().name()

    // Tag if this build is run in FIPS mode
    if (BuildParams.inFipsJvm) {
      tag 'FIPS'
    }

    // Automatically publish scans from Elasticsearch CI
    if (jenkinsUrl?.host?.endsWith('elastic.co') || jenkinsUrl?.host?.endsWith('elastic.dev')) {
      publishAlways()

# SHA256 checksums of snapshot zip files in this directory.
# These checksums are included in the FIPS security policy
# (validation instructions sent to the lab) and MUST NOT CHANGE.
# That is, the zip files themselves must not change.
#
# It is okay to add new zip files to the list, and it is okay to
# remove zip files from the list when they are removed from
# this directory. To update this file:
#
#	go test cmd/go/internal/fips140 -update
#